[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

m.mescoli at omnib.it m.mescoli at omnib.it
Sun Sep 20 08:59:26 UTC 2009


Peter wrote:
> On 09/19/2009 08:22 PM, Darnell wrote:
>> Peter wrote:
>>> On 09/19/2009 04:20 PM, Grant wrote:
>>>   
>>>> I hope replying here is alright.  I'm trying to figure out if I'm
>>>> vulnerable to this.  I don't use [search-region] or ActionMap at all.
>>>> Does that exclude me?
>>>>     
>>> No, you are vulnerable if you use a Standard or Foundation based
>>> catalog.  You are vulnerable if you have a search results page that
>>> utilizes the Interchange standard search facilities anywhere, even if
>>> you do not use it.  If you think you might be vulnerable you probably
>>> are.  If you think you are not vulnerable then you still probably are.
>>>
>>> I recommend this update for ... pretty much everyone.
>>>
>>>
>>> Peter
>>>
>>>   
>> I know some things that have not been addressed, different language search, 
>> like search in Chinese.
>> Also be able to run multiple stores.
> 
> I don't think this update will affect language searches, but please do
> test it before upgrading your live site.  I am very sure that it does
> not affect multiple stores as I have already run the upgrade for a
> client who has multiple catalogs running off of a single Interchange
> server and I'm sure I'm not the only one.
> 
> That said, if you have multiple catalogs running under a single
> Interchange server and they are accessed by different people who should
> not have access to files from the other catalogs (or indeed from any
> other files on the server itself), then you should definitely perform
> this update because it also addresses a separate security vulnerability
> that allows any catalog to access all files which are accessible to the
> system user that the Interchange server is running under.
> 
> 
> Peter
On my development server I have quickly updated several catalogs from 5.6.0 to 
5.6.2 without any problem. Testing will continue ...

-- 
Marco "Fino alla bara sinpara"
Marco "Up to demise we rise"


